1. Introduction
In the credit business, the key issue is to propose a reasonable amount of loan that would not be beyond a borrower’s repayment capability. During the loan approval process, the bank would conduct a credit investigation on the borrower, and then generate a credit report, which includes the borrower’s loan records in other banks, financial status etc., to calculate the amount of the loan the borrower can apply for and make sure it would not exceed the repayment ability of the borrower.
Before the appearance of the credit investigation industry, banks mainly conducted credit investigation on borrowers in the following three ways: visiting the borrower, consulting other banks, reviewing previous loan records in local database, etc. [1]. Yet, this has some associated problems.
Data privacy protection issues. The loan/repayment records of borrowers at a bank are not only part of the privacy data of the borrowers, but also the business assets of the bank. Protecting the borrower’s privacy data is a concern of the banking industry, but if the bank directly shares the loan/repayment data with other banks, the privacy of the bank and the borrower will be disclosed.
Data security issues. In traditional ways, the borrower’s data are stored in a central server, which might expose all the data to hackers. Once the hacker successfully invades the database, the borrower’s private data are leaked, and on the other hand, the hacker can maliciously modify or delete the user information, so as to interfere with the bank to make the right decision on the borrower’s repayment ability.
Data accuracy issues. The borrower’s data are invisible assets to a bank. The monopolization of a borrower’s information would improve the competitiveness of a bank, but the inter-bank data sharing would undermine the monopolization. Therefore, to improve the competitiveness, the bank might share the wrong information with peers [2].
With the emergence of the credit industry, the credit data of the borrower are collected by the credit reporting center, so are their data kept in banks. When a borrower applies for a loan in a bank, the credit reporting center would generate a credit report, on which the loan information of the borrower in other banks appears in plaintext, which definitely leaks the borrower’s privacy to the other banks. On the other hand, it confronts data with the risk of being modified or deleted in the process of transmission and storage.
In 2008, Nakamoto [3] first proposed the concept of blockchain, which has attracted worldwide attention. In addition to the research on blockchain technology itself, researchers are actively exploring the application of blockchain in a wide range of industries. Blockchain technology is an unforgeable, non-tamperable and traceable data structure built in a peer-to-peer (P2P) network. It is a distributed data storage system that uses P2P networks to propagate transactions and uses cryptography to connect blocks in the network; some other techniques such as Merkle tree, time stamp, and smart contract are also applied on blockchain. Blockchain, as a distributed ledger, prevents data in the ledger from being tampered and does not require a trusted third party to prevent double-spending. It is maintained together by a lot of nodes to avoid single points of failure, and the data kept on the blockchain can be accessed by all nodes to reduce additional communication.
Cryptographic technology plays an important role in data protection. For example, encryption algorithms guarantee the confidentiality of data and prevent data from being modified during transmission; one-way hash function (hash algorithm) can guarantee the integrity of data; message authentication code can guarantee the integrity and authenticity of the data; data signature can guarantee the integrity, authenticity and the non-repudiation of the data. With the continuous improvement and development of cryptographic algorithms, cryptographic technology has been applied in various fields.
Based on blockchain and cryptographic technology, this paper constructs a mechanism to avoid the borrower applying the amount of loan in excess of his/her repayment ability from different banks, on which all the verified data are uploaded and encrypted, so that the loan information can be shared with all the participants on a chain and cannot be maliciously modified. This paper uses the Bulletproofs algorithm to optimize the communication volume of the proposed mechanism.
1.1. Contribution
Proposing a blockchain-based cross-bank over-loan prevention (CBOL-ring) mechanism. First of all, the mechanism uses commitment, public key encryption, ring signature, etc., which can not only solve the problem of privacy leakage in the process of data transmission and sharing, but also realize the co-verification of data without leaking sensitive information. Secondly, the mechanism uses blockchain technology to effectively prevent data from being modified or deleted. The involved banks can directly access to relevant data based on the openness of blockchain, thereby reducing the communications between banks and credit reporting center.
Proposing a blockchain-based cross-bank over-loan prevention mechanism with low communication volume (CBOL-bullet). In this paper, the Bulletproofs algorithm is used to further improve the CBOL-ring mechanism proposed above to reduce the size of the range proof generated by the CBOL-ring mechanism, thereby reducing the size of the communication volume and saving transmission resources during the data transmission process.
Evaluating the feasibility and security of the two mechanisms mentioned above through experiments.
1.2. Organization
The remaining part of this paper is organized as follows. In Section 2, we analyze some related works. In Section 3, we review a few terminologies and algorithms used in the work. In Section 4, we propose a system structure and adversarial model. In Section 5, we propose the CBOL-ring mechanism. In Section 6, we propose the CBOL-bullet. Section 7 is security and performance analysis. A conclusion is drawn in Section 8.
2. Related Work
Since blockchain has been proposed, the characteristics of decentralization, openness, transparency, and non-tampering have become hot research topics. With the development of blockchain technology, the application of blockchain tends to be extensive. As a result, more attention has been given to the issue of privacy protection. Although Bitcoin proposed by Nakamoto uses pseudonymous addresses to protect privacy, through analysis of transactions, people can link multiple addresses together, and the transaction amount and address of Bitcoin are publicly visible, consequently, the Bitcoin system does not achieve confidentiality. In order to protect the privacy of information on the blockchain, researchers have made more efforts in the recent years.
Some cryptographic techniques (such as Pedersen Commitment [4], ring signature [5], zero-knowledge proof [6], etc.) are used in a blockchain. In 2013, Miers et al. [7] proposed Zerocoin, a distributed e-cash system. The system uses non-interactive zero-knowledge (NIZK) to hide the sender’s address, but the recipient’s address and amount transferred are not hidden. Through this scheme, individual Bitcoin transactions are not linkable, and it does not introduce a trusted third party, compared to other e-cash schemes. In 2014, Sasson et al. [8] proposed Zerocash, a decentralized anonymous payment currency scheme based on Zerocoin. In Zerocash, a zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARK) is used to hide the sender’s address, transaction amount, and recipient’s address for privacy protection. In order to keep the amount confidential, in 2015, Maxwell [9] proposed the concept of confidential transactions, which refers to a cryptographic tool used to strengthen privacy in Bitcoin. Through confidential transactions, it can achieve the verification of the amount without revealing the amount (i.e., the encrypted state) and cannot create or destroy any Bitcoin. In 2015, the RingCT protocol was proposed by Noether [10] and used for confidential transactions in Monero. The ring signature protocol that forms the RingCT protocol was used to hide traders and transactions, but the protocol comes at the expense of the size of the transaction. In 2016, Jedusor [11] proposed MimbleWimble protocol. The protocol uses Pedersen Commitment to hide transaction amounts for confidential transactions, and uses a range proof to prevent users from launching spill attacks. In [12], Monero not only uses a one-way accumulator and knowledge signature, but also uses Pedersen Commitment to hide the transaction amount. In Zerocoin [7], Pedersen Commitment is used to generate commitment for newly generated coins. In Zerocash [8], the transaction amount is hidden in a commitment. In 2017, Sun et al. [12] proposed the RingCT 2.0 protocol, in which the function of ring signature (linkable ring signature) is implemented by a one-way accumulator and a knowledge signature. Compared to RingCT protocol, this protocol is no longer at the expense of the size of the transaction.
Coin mixing is a technology to enhance anonymity by mixing the coins of multiple users. In 2013, Maxwell [13] proposed Coinjoin; in this protocol, many users can mix their inputs together; through the mix, the user’s input and output are not linkable. In 2014, Mixcoin protocol was proposed by Bonneau et al. [14]; in this protocol, the user sends the coin to a reliable coin-mixing server for coin mixing, and then the server returns the mixed coin to the user. Although the protocol guarantees the unlinkability of the input and output addresses, it introduces a trusted server that knows the information about a user’s input and output addresses, so the server may reveal private information and be prone to single points of failure. This year, Moreno-Sanchez et al. [15] proposed CoinShuffle to enhance the anonymity of Bitcoin. The CoinShuffle protocol is a fully decentralized coin mixing protocol that does not require a trusted third party. In the protocol, the user mixes his own coin with the coins of other people participating in the coin mixing, and the protocol outputs the coin after mixing to a newly created specific address. The protocol also cuts off linkability between input and output addresses. Compared to the Mixcoin protocol, CoinShuffle protocol does not require a trusted center and there is no mixing fee. Dash [16] also uses coin mixing techniques to achieve anonymity. Dash designed a two-tier network. The basic functions of the blockchain (e.g., mining, consensus, etc.) are implemented in the first layer of the network, and the master node performs coin mixing operations on the second layer of the network.
From the related works mentioned above, we can see that since the blockchain was proposed, not only the blockchain technology itself and digital currency have been extensively studied by researchers, but also its privacy protection technology has been a notable research topic. However, at present, there are few studies on privacy protection of account balances.
With the emergence of blockchain technology, blockchain has been widely used in IoT [17], healthcare [18], finance and other fields; the application of blockchain to the financial field can tackle the pain points of costly and complicated business processes in traditional financial industry, thereby empowering the inclusive finance area as well as changing the landscape of the industry. Currently, blockchain is widely used in digital currency, payment settlement, digital bills, credit management, equity certificate, stock exchanging, insurance management, and other fields.
In the traditional credit system, third-party credit reporting agencies (such as Public Credit Registries (PCR)) used to conduct credit investigations on borrowers [19,20], but they were vulnerable to privacy leakage and information tampering. When sharing information, banks may suffer from single points of failure. In order to avoid many problems, Chang et al. [21] proposed a business integrity modeling and analysis framework to provide financial, operational and liquidity risk analysis. In recent years, people have begun to use blockchain to solve problems in the banking industry. In 2017, Sun et al. [22] proposed MBDC, a model based on permission blockchain technology; this model improves the scalability of the model and the speed of payment by combining the chain structure and ChainID. The user’s identity information and transaction information on the chain can be separated by the user account address protocol. In 2018, Hu et al. [23] proposed a delay-tolerant payment scheme based on the Ethereum blockchain, which aims to solve the problem that users cannot obtain bank services in real time remotely. By deploying user balance smart contracts, banks record users’ balances in fiat and digital currencies and distribute mining rewards. After successfully establishing a connection with a remote account, the bank can synchronize the user’s balance with other nodes and process the currency exchange request. However, this solution seems to put the user’s balance information and other private information at an unknown risk. In the same year, Wang et al. [24] proposed a theoretical credit model based on blockchain technology, which enables small and medium-sized enterprises to evaluate bank loans by using blockchain technology; it also achieves a distributed consensus record of success of debt repayment or debt default rendered by using blockchain technology. In the same year, Goharshady et al. [25] proposed a scheme that uses a blockchain smart contract to generate a credit report required by a bank loan. In this scheme, the credit report does not need to be generated by a credit reporting center, which can solve the problems of slow information update, inconsistent data, unavailability of information, and leakage of sensitive customer information of traditional credit reporting center. The scheme uses cryptographic technology to protect sensitive information that appears in the report. With this scheme, banks or customers can verify whether the report contains the required information within a certain period of time. In 2018, Godfrey-Welch et al. [26] applied private blockchain technology to payment card transactions. Private blockchain uses public key cryptology to verify cardholder identity and records transactions; it can provide necessary verification information without introducing third parties by using private blockchain technology. In 2019, Wang et al. [27] proposed a new data privacy management framework for the financial sector, based on blockchain technology. The framework is composed of a data privacy classification method, a collaborative-filtering-based model, and a data disclosure confirmation scheme for customer strategies. The framework is used for opening banks. In 2019, Yang et al. [28] proposed a new loan system based on smart contract. To resolve the problem of the traditional loan system, the new loan system combines blockchain and smart contract; it can improve regulatory capacity and loan efficiency. In 2019, Mohamed et al. [29] proposed an approach based on blockchain; it can be used to track money by the serial numbers.
In addition to many experts and scholars beginning to explore the application of blockchain in banks, banks themselves are also actively looking for the combination of blockchain and banks’ business, but it can also be seen that there is not much research on bank loans at present. This article intends to combine blockchain technology and cryptographic technology to design an over-loan prevention mechanism that can protect the data privacy of borrowers and banks. At present, the credit report is mainly generated by a credit reporting agency. The credit report mainly contains the following information: identity information, which includes basic information such as name, ID number, and contact information, borrower’s previous loan information and lease in the borrower’s name, details of the borrower’s credit report, utilities, medical expenses, etc., as well as some other public information [30]. It can be found that in the credit report, in addition to some public information of the borrower, there is some private information, such as the borrower’s loan amount in other banks. If these amounts are hidden, the bank may not be able to correctly judge the borrower’s repayment ability, resulting in the problem of excessive loans. Moreover, Goharshady et al. [25] pointed out that the report issued by the credit reporting agency may contain erroneous information. Therefore, this paper makes full use of cryptographic technology to protect the sensitive information and verify whether the loan is an excess loan. It is meaningful to use blockchain to enhance bank participation, reduce the role of credit bureaus in loans, and increase data credibility. At the same time, the algorithm used in this article is different from the application of blockchain in the medical field. As in [31], the author uses attribute-based encryption and cross-domain access strategies to enable users of different medical institutions to access patient data. This paper uses the elliptic curve encryption algorithm to encrypt the data, and uses the range proof, Pedersen Commitment and other algorithms to achieve public verification of private data; only the bank that handles the business can access the plaintext data, and other banks and audit nodes can verify the validity of the data by accessing the proof data. Although both papers are aimed at data privacy protection for cross-domain scenarios, due to different restrictions on access to data, the algorithms used are different as well.
3. Preliminary
In this paper, we use ring signature, Pedersen Commitment, Elliptic Curve Cryptography (ECC) Algorithm, and so on, to protect the borrower’s private information. This section will review the definition of the above algorithm.
3.1. Ring Signature
In our mechanism, we use a variant of Borromean Ring Signature (BRS) proposed in [32] to generate the ring signature of the maximum/loan/repayment amount. The bank and the audit node can verify whether the amount is positive and whether the amount is within a certain range by combining the signature and the range proof, that is, whether the borrower is over-loan.
Definition 1. An algorithm that uses its own signature private key and group member public key as signature keys. The algorithm does not require the consent of other members when signing, and even other members do not know that their public key is one of the signature keys. The algorithm has unconditional anonymity and unforgeability.
Let } be a ring signature algorithm. In this algorithm, generates the signature keys and verification keys that based on an elliptic curve, the order of the elliptic curve is , the base point is , and another point selected from elliptic curve is whose discrete relationship with is unknown, and are two large prime numbers that | -1. generates a signature when inputting signature keys and message . inputs a tuple (, , ) and outputs 1 if the signature is valid, otherwise 0.
3.2. Range Proof
Definition 2. Range proof can verify that the number is in a correct range when the number is hidden, because only unsigned integers can pass the range proof verification.
The ring signature public key used in this scheme is generated based on the value of the jth bit in the binary representation of the loan/payment amount. When the th bit value (i.e., ) is 0, the ring signature public keys are = + = and = − = − ; When the jth bit value (i.e., ) is 1, the ring signature public keys are = + and = . Therefore, no matter the value of the th bit is 0 or 1, the borrower can use as the private key and as the verification public key to generate a valid ring signature. When the value of th bit is neither 0 nor 1 the borrower cannot generate a valid ring signature with as the private key and as the verification public key, the bank or audit node cannot prove the validity of the ring signature during verification, and the verification will not pass. Therefore, the success of the signature verification can prove that the value of the th bit is 0 or 1. By verifying ring signatures, it can be proved that the borrower’s amount is within the range [0, ).
3.3. Elliptic Curve Cryptography (ECC) Algorithm
In the proposed mechanism, during the loan or repayment process, the borrower needs to send his loan/repayment amount to the bank that handles the loan/repayment business. To achieve secure transmission of data, so that even an attacker who obtains the request sent to the bank by the borrower cannot obtain the hidden data, the borrower uses the Elliptic Curve Cryptography (ECC) algorithm [33] to encrypt the amount.
Definition 3. The algorithm based on an elliptic curve converts the input plaintext into ciphertext (i.e., two points on the elliptic curve), and without the decryption key, the ciphertext will not be readable by others. The ECC algorithm is based on the elliptic curve discrete logarithm problem.
Let = {, , } be an elliptic curve cryptography algorithm. In this algorithm, generates a key pair (, ), where is secret key, is public key. is used to obtain ciphertext when inputting the tuple (, ). decrypts the with to obtain the message . Of course, the correct message can be decrypted only if the private key is correct. If the private key is incorrect, the plaintext cannot be obtained.
3.4. Pedersen Commitment
The Pedersen commitment [4] is used to commit an amount, which can be the loan amount, or the repayment amount. During the loan process, because all data are hidden, if the borrower wants to over-loan, he/she may modify the hidden data so that the data recorded by the bank is less than the actual amount of the borrower’s loan. Because the commitment is binding, after the commitment of the amount is generated, if the borrower modifies the loan/repayment amount presented to the bank without modifying the corresponding commitment, the bank will not pass the verification; in addition, the commitment is hiding, so if the borrower or bank does not disclose its loan/repayment amount, no one else can obtain the loan/repayment amount of the borrower through the commitment.
Definition 4. The Pedersen Commitment we used is based on the elliptic curve discrete logarithm problem. It consists of two phases, the commit phase and the open phase. In this protocol, Alice commits a value to Bob, but the value is temporarily hidden and Bob does not know what the value is. After a period of time, Alice sends the value hidden in the commitment to Bob, and Bob can verify that the value has not been modified before it was broadcast by Alice. Hiding and binding are two properties of the Pedersen commitment.
Let = {, , } be a Pedersen commitment. In this protocol, selects some parameters, the large prime number , the generator of and a random number belonging to . outputs a commitment when inputting the value that needs to be committed, the generator , the random number and another random number belonging to . publishes the committed value and the random number , and outputs 1 if the commitment has not been modified, or 0 otherwise.
3.5. Elliptic Curve Digital Signature Algorithm (ECDSA)
In this mechanism, in order to verify that the commitment of the amount is honestly generated by the borrower, it is necessary to prove that the commitment = of the random number is honestly generated by the borrower, that is, the commitment is only related to point , not to point . Therefore, it is necessary to generate a proof about the discrete relationship between point and the commitment . Through the proof, it can prove that the borrower did not hide part of the amount in the commitment to achieve the purpose of over-loan. In the ECDSA [34], the borrower uses the random number as the private key and as the public key to generate a signature. By judging the validity of the signature, the bank judges whether is only related to point .
Definition 5. The ECDSA is based on the elliptic curve discrete logarithm problem. In this algorithm, the signer can sign a message by a private key, and the verifier can verify the signature by a public key. This algorithm provides non-repudiation, integrity and authentication.
Let = {, , } be an elliptic curve digital signature algorithm. generates a key pair (, ), where is secret key, is public key. The curve used in is an elliptic curve over a finite field , the elliptic curve’s base point is , and the order of is . outputs a message ’s signature when inputting the message , and a random number selected by signer. When the tuple (, , ) is input, outputs 1 if the signature is valid, or 0 otherwise.
3.6. Bulletproofs Algorithm
In the CBOL-bullet, we use Bulletproofs algorithm proposed in [35] to reduce the size of range proof. The Bulletproofs algorithm does not require trusted settings and only depends on the discrete logarithm problem. The range proof size generated by the algorithm is logarithmic. The Bulletproofs algorithm can verify a secret value is within a given range, and the inner product is used to reduce the size of the range proof.
Let = {, , } be a bulletproofs algorithm. takes the safety parameter as input and takes , , , as output, where and are two points on the elliptic curve, and the discrete relationship is unknown, and and are the elliptic curve dots vector. generates the range proof of the amount. The prover first converts the amount into a binary string =, computes =, then chooses the random numbers and , computes , . After receiving the random numbers and sent by the verifier, the prover constructs polynomial , chooses the random numbers and , and then computes and , where and are the coefficient of the polynomial . After receiving the random number sent by the verifier, the prover generates and . Finally, the prover sends the range proof generated to the verifier. After receiving the range proof from the verifier, verifies whether the range proof is valid. Firstly, the verifier computes , and judges whether is equal to <>, then the verifier computes and , judges whether is equal to . If the verification is passed, the amount hidden in the range proof is in the range [0, − 1]; otherwise, it indicates that the amount is overflow.
6. Blockchain-Based Cross-Bank Over-Loan Prevention Mechanism with Low Communication Volume
In the CBOL-ring mechanism proposed in Section 5, a combination of ring signature algorithm and range proof can verify that a value is in a specific range. However, through analysis, it is found that when the amount is divided into bits, the communication volume is affected by the length of the binary string, and is basically linear with the length of the binary string. In the CBOL-ring mechanism, the borrower can choose the length of the binary string that meets the basic security when generating the range proof, but if higher security is required, the length of the string must be increased. At this time, the CBOL-ring mechanism will cause communication volume problems. When the communication volume is large, it will not only affect the communication efficiency, but also affect the probability of a successful transaction into the block: each block in the blockchain has a size limit, so when the storage space required for a transaction is too large, even if the transaction is legal, the transaction may not be able to enter the blockchain normally. Therefore, in order to meet the requirements of different degrees, it is necessary to reduce the impact of the length of the binary string on the communication volume by using an efficient range proof algorithm.
The CBOL-bullet uses the Bulletproofs algorithm to change the way in which range proofs are generated to reduce the amount of communication during the loan and repayment stage. In the optimized mechanism, the way to generate the commitment of the amount, the commitment of random number, the proof about the discrete relation between and the point , and the ciphertext of amount are all consistent with the CBOL-ring mechanism. The following introduces the CBOL-bullet.
CBOL-Bullet
Stage 1: Registration. All banks in the banking union generate for borrowers, the maximum loan limit , and the public and private keys (, ) used by the ECC algorithm, and then the , and all public keys are sent to the borrower, where = 1, 2, …, , is the number of banks in the banking union.
Stage 2: Initialization. This stage is the same as the initialization stage in the CBOL-ring scheme.
Borrower: After registering, the borrower needs to generate the proof for the maximum loan limit .
- generates the commitment of and the commitment of random numbers , as well as the knowledge proof about the discrete relationship between and the point .
- sends , , , , , to the bank union.
Bank union: When the bank union receives the data from the borrower, any bank in the banking union
- verifies the validity of the commitment and the signature .
- sends , , , , , to audit node, if all the data are valid; otherwise, the bank union rejects all the data.
Audit node: When the audit node receives the data from the bank, they also
- verify the validity of the commitment and the signature .
- upload = {, , , , } to blockchain, if all the verification is valid; otherwise, the audit nodes reject the .
Stage 3: Loan. This stage is similar to the loan stage in the CBOL-ring scheme. This stage consists of three parts: the borrower generates the proof, bank verifies the proof, and audit nodes verify the proof.
Borrower: When the borrower wants to loan from a bank, he/she
- calculates the commitment of the loan amount , the commitment of the new remaining loanable amount , and generates the knowledge proof about discrete relationship between and the point by the signature function of the ECDSA algorithm, that is, is used as the private key, and is used as the public key to generate the signature, where = −, = −, and are the borrower’s current remaining loanable amount and the corresponding random numbers.
- generates the range proof for the amount by using the GenRange function of the Bulletproofs algorithm. The equation is as follows:
- encrypts the loan amount using the ECC algorithm to obtain the ciphertext .
- sends , , , , , , , , to the bank.
Bank: When the bank receives a loan request from the borrower, it
- decrypts the ciphertext of the amount by using the decryption function of the ECC algorithm to obtain the actual loan amount of the borrower, and calculates the commitment of the loan amount to verify the validity of the commitment.
- verifies the validity of the range proof through the VerRange function of the Bulletproofs algorithm. The equation is as follows:
- verifies the validity of the knowledge proof by using the validation function of ECDSA algorithm.
- sends , , , , to the audit nodes, if all the verifications are correct; otherwise, the bank rejects all the data.
Audit node: When the audit nodes receive the data sent by the bank, they
- verify the validity of the range proof through the VerRange function of the Bulletproofs algorithm. The equation is as follows:
- upload = {, , , , } to blockchain.
Stage 4: Repayment. This stage is also similar to the repayment stage in the CBOL-ring mechanism.
Borrower: When the borrower wants to repay, he/she
- calculates the commitment of the loan amount , the commitment of the new remaining loanable amount , and generates the knowledge proof about discrete relationship between and the point by the signature function of the ECDSA algorithm, that is, is used as the private key, and is used as the public key to generate the signature, where = + , = + , and are the borrower’s current remaining loanable amount and the corresponding random numbers.
- generates the range proof for the amount by using the GenRange function of the Bulletproofs algorithm. The equation is as follows:
- encrypts the repayment amount using the ECC algorithm to obtain the ciphertext .
- sends , , , , , , , , to the bank.
Bank: When the bank receives a repayment request from the borrower, it
- decrypts the ciphertext of the amount by using the decryption function of the ECC algorithm to obtain the actual loan amount of the borrower, and calculates the commitment of the loan amount to verify the validity of the commitment.
- verifies the validity of the range proof through the VerRange function of the Bulletproofs algorithm. The equation is as follows:
- verifies the validity of the knowledge proof by using the validation function of ECDSA algorithm.
- sends , , , , to the audit nodes, if all the verifications are correct; otherwise, the bank rejects all the data.
Audit node: When the audit nodes receive the data sent by the bank, they
- verify the validity of the range proof through the VerRange function of the Bulletproofs algorithm. The equation is as follows:
- upload = (, , , , ) to blockchain; otherwise, if one of the signatures is not valid, the audit node rejects the data from the bank.
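The commitment checks of Sections 3.4 and 3.5 and the loan-stage update, as an added Python example that is not code from the paper: the bank re-opens the amount commitment with the amount it decrypted and rejects a borrower who hides part of the loan in the random-number commitment. The curve (secp256k1), the commitment form blind·G + amount·H, the derivation of H by hashing, the signed message and all function names are assumptions of this example.

```python
import hashlib
import secrets

# secp256k1 domain parameters (curve y^2 = x^3 + 7 over F_P, group order N).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(a):
    return None if a is None else (a[0], -a[1] % P)

def mul(k, a):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k, out = k % N, None
    while k:
        if k & 1:
            out = add(out, a)
        a, k = add(a, a), k >> 1
    return out

def hash_to_point(label):
    """Try-and-increment: a second generator whose log to base G nobody knows."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)      # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

H = hash_to_point(b"constructed-example-H")  # label is a constructed value

def commit(amount, blind):
    """Pedersen commitment blind*G + amount*H (form assumed for this example)."""
    return add(mul(blind, G), mul(amount, H))

def _z(point):
    """Message hash for the knowledge proof: SHA-256 of the point (assumed)."""
    data = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ecdsa_sign(priv, z):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, z, sig):
    r, s = sig
    if pub is None or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(z * w, G), mul(r * w, pub))
    return pt is not None and pt[0] % N == r

def bank_accepts(c_amount, c_blind, sig, amount):
    """Bank side: amount is what it decrypted; c_blind must be a pure multiple of G."""
    opens = add(mul(amount, H), c_blind) == c_amount
    return opens and ecdsa_verify(c_blind, _z(c_amount), sig)

def loan_request(true_amount, declared_amount, blind):
    """Borrower side. Declaring less than true_amount moves the gap into c_blind."""
    c_amount = commit(true_amount, blind)
    c_blind = add(mul(blind, G), mul(true_amount - declared_amount, H))
    return c_amount, c_blind, ecdsa_sign(blind, _z(c_amount))

def remaining_after_loan(c_remaining, c_loan):
    """Anyone can update the remaining-limit commitment without seeing amounts."""
    return add(c_remaining, neg(c_loan))

if __name__ == "__main__":
    c_rem = commit(1000, 1111)                      # constructed limit and blind
    honest = loan_request(400, 400, 2222)
    cheat = loan_request(900, 400, 2222)            # borrows 900, declares 400
    print("honest accepted:", bank_accepts(*honest, 400))
    print("cheat accepted: ", bank_accepts(*cheat, 400))
    print("update matches: ", remaining_after_loan(c_rem, honest[0]) == commit(600, 1111 - 2222))
```

Because scalars live modulo the group order, a loan of 1500 against a limit of 1000 still produces a well-formed commitment, to the value N − 500. The subtraction alone therefore cannot stop over-lending, which is the job of the range proof on the committed amounts.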